Privacy Policy

Last Updated: November 2025

summie B.V. ("summie", "we", "our", "us") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy describes how we collect, use, store and protect personal data when you use our website (summie.co), our apps and the summie collaboration platform for entrepreneurs and accountants ("Services").

This policy applies to:

·       Entrepreneurs (B2C) who use summie to manage receipts, invoices, documents and financial administration.

·       Accountants and accounting firms (B2B) who use summie to collaborate with clients and manage administrative workflows.

This Policy is drafted in accordance with the General Data Protection Regulation (GDPR) and relevant Dutch privacy laws.

1. Who is responsible for your data?

Entrepreneurs (B2C)

For entrepreneurs using summie directly, summie B.V. is the data controller for processing that occurs within the platform.

Accountants & accounting firms (B2B)

When an accounting firm uses summie to process documents and financial data for its clients:

·       The accounting firm is the data controller for all financial and administrative data processed via summie.

·       summie acts as a data processor under a Data Processing Agreement (DPA).

Certain processing operations—such as account creation, security logging, billing and fraud monitoring—may be independently controlled by summie.

2. Personal data we process

We process only the personal data necessary for the proper functioning of the platform. Depending on your use of the Services, we collect the following categories:

A. Account & identity data

·       Name

·       Email address

·       Phone number (optional)

·       Business details (for accountants/firms)

·       User roles and permissions

·       Login and audit logs

B. Financial data

Processed only when you actively connect financial accounts or upload financial documents:

·       Bank account identifiers (IBAN) provided via regulated connectivity providers

·       Transaction details made available through these providers

·       Transaction metadata: date, amount, description, counterparty

·       Metadata needed to match transactions and documents

Collection method: Via PSD2-licensed Account Information Service Providers (AISPs) with your explicit consent.

C. Document data

·       Uploaded receipts, invoices, statements, contracts and other administrative documents

·       Extracted data obtained via document processing (OCR)

·       Classification metadata for archive management

D. Technical & usage data

·       Device type, OS, browser

·       App version

·       Error logs, crash logs and operational telemetry

·       Security and access logs

E. Communication & support data

·       Messages sent to our support team

·       Information provided during onboarding

·       Email correspondence

3. Purposes of processing

We process your personal data for the following purposes:

A. To provide and operate the summie platform

·       Create and maintain accounts

·       Process financial documents and data

·       Enable accountant–client collaboration

·       Provide data extraction, classification and archive functionality

·       Sync with supported accounting systems

B. To support B2B accountant usage

·       Managing teams, permissions and client access

·       Providing audit trails and activity logs

·       Supporting migrations from legacy platforms

C. Platform security & fraud prevention

·       Access control

·       Monitoring suspicious activity

·       Protecting user accounts and data

·       Ensuring system integrity

D. Platform improvement

·       Understanding usage patterns (anonymized where possible)

·       Troubleshooting errors

·       Optimising performance

·       Enhancing feature functionality

E. Customer support

·       Responding to questions

·       Investigating issues

·       Providing onboarding assistance

F. Legal and regulatory compliance

·       Complying with data retention obligations (7-year financial data retention)

·       Responding to government or supervisory authority requests

4. Bank connections (PSD2)

How we access your bank data

summie connects to your bank account via PSD2-licensed Account Information Service Providers (AISPs). This is a secure, regulated method of accessing financial data.

Scope of access

What we access:

·       Transaction history (typically the last 90-180 days, depending on the bank)

·       Account holder name and IBAN

·       Transaction details: date, amount, description, counterparty

What we do NOT access:

·       Your bank login credentials or passwords

·       Account balances (unless necessary for functionality)

·       Personal bank messages or communications

Your control

·       Revoke access at any time

·       Access expiration: Bank connections typically expire after 90-180 days (bank dependent)

·       Re-authorization: You'll be notified when access is about to expire

·       Transparency: View which accounts are connected and when they were last synced

Your responsibility

·       You are responsible for ensuring the correctness of the connected bank account

·       You should review imported transactions for accuracy

·       You remain responsible for your financial administration

Note: summie is not responsible for errors, delays or outages in data provided by banks or AISP providers.

5. Sharing personal data

We only share data with carefully selected third-party service providers that help us deliver the Services. We work exclusively with processors that meet strict security and privacy standards.

Categories of service providers

Cloud Infrastructure & Hosting

·       Purpose: Secure data storage, processing and platform operation

·       Location: Primarily EU/EEA data centers

·       Security: Enterprise-grade encryption and access controls

Banking Connectivity Providers

·       Purpose: Secure connections to financial institutions

·       Regulation: Licensed under PSD2 as Account Information Service Providers (AISPs)

Document Processing Services

·       Purpose: Optical Character Recognition (OCR) and automated data extraction

·       Processing: Text recognition from receipts, invoices and documents

Authentication Services

·       Purpose: Secure account creation and login

Error Monitoring & Diagnostics

·       Purpose: Crash reporting, bug detection and platform stability

·       Data: Technical logs and anonymized error reports

Communication Services

·       Purpose: Transactional emails, notifications and updates

·       Type: Account-related communications only (not marketing)

Professional Advisors

·       Purpose: Legal, accounting, compliance and audit services

·       Access: Strictly limited and under confidentiality agreements

Our safeguards

Data Processing Agreements: All service providers operate under GDPR-compliant Data Processing Agreements (DPAs)

Minimum access: Providers only access data necessary for their specific purpose

Security standards: All providers must meet our security and privacy requirements

Regular review: We continuously assess and audit our service providers

EU focus: Where possible, we prioritize providers with EU/EEA data processing

For accountant-controlled environments, changes to subprocessors are communicated in accordance with the Data Processing Agreement applicable to accounting firms.

6. Data retention

We retain your personal data only as long as necessary for the purposes for which it was collected, and in accordance with legal obligations.

Key retention periods:

·       Account and usage data: As long as your account is active

·       Financial documents: 7 years (required by Dutch tax law)

·       Security logs: 90 days

·       Support communications: 2 years

Maximum retention: Unless legally required otherwise, personal data is deleted within 7 years after account termination or last use.

Inactive accounts: Accounts inactive for 24 months may be deleted after email notification, except where legal retention requirements apply.

For accountants: When accountants use summie to process client data, retention periods are determined by the accounting firm in accordance with professional obligations.

Deletion: After the retention period, data is permanently deleted. Backups are retained for up to 30 days.

7. Security

We implement industry-standard technical and organizational security measures to protect your personal data against unauthorized access, loss, or misuse. These measures include:

·       Encryption of data in transit and at rest

·       Secure authentication and access controls

·       Continuous security monitoring 

·       Regular security audits and updates 

·       Strict internal access policies

For business users (accountants), detailed technical security specifications are documented in our Data Processing Agreement.

Note: While we implement strong security measures, no system can be 100% secure. We continuously work to improve our security posture.

8. Data breach response

In the event of a data breach that affects your personal data, we will: 

·       Take immediate action to contain and investigate the breach

·       Notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours if required by law

·       Inform you promptly if there is a high risk to your rights and freedoms

·       Provide information about the nature of the breach, affected data, and measures taken

We maintain detailed breach response procedures as required by GDPR.

9. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect:

·       Changes in the Services

·       New legal requirements

·       Improvements to our data practices

·       User feedback

How we notify you

For significant changes:

·       Email notification to all active users

·       In-app notification when you next log in

For minor changes:

·       Updated "Last Updated" date at the top of this policy

·       Available on summie.co

Your options

If you do not agree with changes to this Privacy Policy:

·       You may stop using the Services

·       You may delete your account

·       We will retain financial data for 7 years as legally required

Continued use of the Services after notification constitutes acceptance of the updated policy.

10. Contact

If you have any questions about this Privacy Policy or how we handle your data:

Email: hello@summie.co

Response time: We aim to respond to all inquiries within 5 working days.

If your data is managed by an accountant

If you are a client of an accounting firm that uses summie, and your data is controlled by the accountant:

·       Your accountant is the data controller

·       We will forward your privacy request to the appropriate controller

·       You should also contact your accountant directly